<div dir="ltr">Mozilla votes "yes" on Ballot SC-059, v.2, Weak Key Guidance<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jul 6, 2023 at 10:17 AM Tom Zermeno via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg6033660176218502811"><div style="overflow-wrap: break-word;" lang="EN-US"><div class="m_6033660176218502811WordSection1"><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><b><span style="font-size:12pt">Purpose of the Ballot SC-59<u></u><u></u></span></b></span></p><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><span style="font-size:12pt">This ballot proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates related to the identification and revocation of certificates with private keys that were generated in a manner that may make them susceptible to easy decryption. It specifically deals with Debian weak keys, ROCA, and Close Primes Vulnerability. <u></u><u></u></span></span></p><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><span style="font-size:12pt">Notes: </span></span> <span class="m_6033660176218502811normaltextrun"><span style="font-size:12pt"><u></u><u></u></span></span></p><ul type="disc"><li class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun">Thank you to the participants who voiced opinions and concerns about the previous version of the ballot. While there were many concerns about the inclusion of the Debian weak keys checks, we have decided to leave the checks in the ballot. Our reasoning is that we wanted to strengthen the guidance statements, to help CAs ensure compliant certificate generation. Future reviews of the BRs may cull the requirements, as is required by the needs of the community. <u></u><u></u></span></li><li class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun">We believe that the requested date of November 15, 2023, will allow enough time for Certificate Authorities to enact any changes to their systems to ensure that they perform the weak key checks on all CSRs submitted for TLS certificates. <u></u><u></u></span></li><li class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><span style="font-size:12pt;color:black">The changes introduced in SC-59 do not conflict with any of the recent ballots. As observed with other ballots in the past, minor administrative updates must be made to the proposed ballot text before publication such that the appropriate Version # and Change History are accurately represented (e.g., to indicate these changes will be represented in Version 2.0.1). </span></span><span class="m_6033660176218502811eop"><span style="font-size:12pt;color:black"> </span></span><u></u><u></u></li></ul><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811eop"><span style="font-size:12pt">The following motion has been proposed by Thomas Zermeno of SSL.com and has been endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of Mozilla. </span></span><span style="font-size:12pt"><u></u><u></u></span></p><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><b>- Motion Begins -</b> </span><span class="m_6033660176218502811eop"> </span><u></u><u></u></p><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:rgb(14,16,26)">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.0.</span></span><span class="m_6033660176218502811eop"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:rgb(14,16,26)"> </span></span><u></u><u></u></p><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:rgb(14,16,26)">MODIFY the Baseline Requirements as specified in the following Redline: </span></span><a href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a" target="_blank"><span class="m_6033660176218502811normaltextrun"><span style="color:rgb(5,99,193)">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a</span></span></a><span class="m_6033660176218502811normaltextrun"> </span><span class="m_6033660176218502811eop"> </span><u></u><u></u></p><p><span class="m_6033660176218502811normaltextrun"><b>- Motion Ends<span style="color:rgb(0,120,212)"> -</span></b></span><span class="m_6033660176218502811eop"> </span><span style="font-size:12pt"><br><br><span style="color:rgb(14,16,26)">The procedure for approval of this ballot is as follows:</span><span style="color:black"><u></u><u></u></span></span></p><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><span style="font-size:12pt">Discussion (7 days) </span><u></u><u></u></span></p><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><span style="font-size:12pt">• Start time: 2023-06-26 22:00:00 UTC <u></u><u></u></span></span></p><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><span style="font-size:12pt">• End time: 2023-07-03 21:59:59 UTC</span></span><span class="m_6033660176218502811scxw53035567"><span style="font-size:12pt"> </span></span><u></u><u></u></p><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><b><span style="font-size:12pt">Vote for approval (7 days)</span></b></span><span class="m_6033660176218502811eop"><b><span style="font-size:12pt"> </span></b></span><b><span style="font-size:12pt"><u></u><u></u></span></b></p><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><b><span style="font-size:12pt"> • Start Time: 2023-07-06 17:00:00</span></b></span><b><span style="font-size:12pt"><u></u><u></u></span></b></p><p class="m_6033660176218502811paragraph" style="vertical-align:baseline"><span class="m_6033660176218502811normaltextrun"><b><span style="font-size:12pt"> • End Time: 2023-07-13 16:59:59</span></b></span><span class="m_6033660176218502811eop"><b><span style="font-size:12pt"> </span></b></span><b><span style="font-size:12pt"><u></u><u></u></span></b></p><p class="MsoNormal"><u></u> <u></u></p></div></div>_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</div></blockquote></div>